How often does Dependabot check for new vulnerabilities?


We're in the process of integrating Dependabot to monitor vulnerabilities within our code repositories in GitHub. Upon its initial activation, Dependabot identified existing vulnerabilities in our dependencies.

However, I just tested adding a new dependency that has known vulnerabilities to the main branch, and it hasn't generated any new alerts. I don't see the new vulnerability in the Dependabot alerts tab.

So a few questions:

  1. Is there a way to kick off Dependabot manually to check for new alerts?
  2. How often does Dependabot scan for new alerts? Is it different between public and private repos?
  3. Is there a way to configure how often Dependabot runs?



Talked with GitHub support. Dependabot alerts are triggered by changes to manifest files in the repository and by new advisories being published; there is no way to trigger them manually or set a frequency for the scan.

When I was testing it, I didn't add the dependency correctly, so it wasn't picked up by Dependabot. That was my fault. After adding it and merging it into the main branch, Dependabot picked it up right away.
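Since alerts only fire on manifest changes, the failure mode in the answer above (a dependency that was not actually added to the manifest) is worth checking for before wondering why no alert appeared. The following is an added example, not code from the question, the answer or GitHub: it assumes an npm project and checks that a package is both declared in package.json and resolved in package-lock.json (handling both the older v1 lockfile layout and the v2/v3 `packages` layout). The manifest and lockfile contents and the package name `example-pkg` are constructed placeholders for this example.

```python
"""Verify that a dependency change is complete: declared in the npm manifest
AND resolved in the lockfile. Sample files below are constructed for this
example; 'example-pkg' is a placeholder name, not a real package."""
import json

# Constructed: a correctly added dependency (manifest + v3 lockfile agree).
MANIFEST_OK = json.dumps({
    "name": "demo-app",
    "dependencies": {"example-pkg": "^1.2.0"},
})
LOCKFILE_V3_OK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"example-pkg": "^1.2.0"}},
        "node_modules/example-pkg": {"version": "1.2.3"},
    },
})
# Constructed: the mistake from the answer, mirrored. The package got installed
# (lockfile entry exists) but was never written to package.json, as happens
# with `npm install --no-save` or an uncommitted manifest edit.
MANIFEST_MISSING = json.dumps({"name": "demo-app", "dependencies": {}})
# Constructed: the v1 lockfile layout produced by older npm versions.
LOCKFILE_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {"example-pkg": {"version": "1.2.3"}},
})


def declared_in_manifest(manifest_json, name):
    """Return the version range declared for `name`, or None if absent."""
    manifest = json.loads(manifest_json)
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        if name in manifest.get(section, {}):
            return manifest[section][name]
    return None


def resolved_in_lockfile(lockfile_json, name):
    """Return the locked version of `name`, or None if the lockfile lacks it."""
    lock = json.loads(lockfile_json)
    packages = lock.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: entries keyed by install path.
        entry = packages.get(f"node_modules/{name}")
        return entry.get("version") if entry else None
    # lockfileVersion 1: flat "dependencies" map of top-level packages.
    entry = lock.get("dependencies", {}).get(name)
    return entry.get("version") if entry else None


def check_dependency(manifest_json, lockfile_json, name):
    """Describe whether `name` is present in both files; list what is missing."""
    spec = declared_in_manifest(manifest_json, name)
    version = resolved_in_lockfile(lockfile_json, name)
    problems = []
    if spec is None:
        problems.append("not declared in package.json")
    if version is None:
        problems.append("not resolved in package-lock.json")
    return {
        "name": name,
        "manifest_spec": spec,
        "locked_version": version,
        "complete": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    cases = [
        ("correct add", MANIFEST_OK, LOCKFILE_V3_OK),
        ("lockfile only", MANIFEST_MISSING, LOCKFILE_V3_OK),
        ("v1 lockfile", MANIFEST_OK, LOCKFILE_V1),
    ]
    for label, manifest, lockfile in cases:
        print(label, check_dependency(manifest, lockfile, "example-pkg"))
```

Run it against a real repository by reading the two files from disk and passing their contents in place of the constructed strings; a result with `complete` set to False means the commit that was pushed does not actually change the manifest in the way Dependabot is watching for.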